Create a GPG key

We use GPG keys to encrypt our secrets. Documentation for using your GPG key can be found here.

Prerequisites

Install gpg if you don’t already have it. GPGtools is recommended if you are on a Mac.

Do not use the Homebrew version. Some Mac users have had problems with Homebrew-installed gnupg2, where gpg can’t connect to the gpg-agent and your passphrase doesn’t get cached. For decrypting one credential that’s ok, but when decrypting the Hiera eYAML file it will ask you for your passphrase for each of the credentials.

Once installed, you will likely have both gpg and gpg2 on your machine. Always use gpg2.

Creating a GPG key (using the GUI)

GPGtools comes with a GUI which can perform most of the operations you need.

To create a new key, click “New”. The Name field should be your name. For Length, choose at least 4096.

The creation process will give you the option to upload to a public server. Say yes. You can check your key has been uploaded using the Lookup Key button in the GUI.

On the main page, which lists all of your keys, you can double-click your key to get the required details (fingerprint and id).

See below for checking your passphrase.

Creating a GPG key (using the command line)

Create a GPG key with gpg2 --gen-key using your digital.cabinet-office.gov.uk email address. Defaults for the questions should be fine, although you should choose a 4096-bit key.

NOTE: You should also generate a revocation certificate with gpg2 --gen-revoke and store it in a safe place (not on your laptop; maybe a USB stick in your locker).

Upload your GPG key to a keyserver

Send your key to a keyserver by running:

gpg2 --send-keys $KEYID

If you are having problems uploading your key, it’s worth trying another keyserver. Those trying to receive your key may be connecting to a different keyserver from the one you sent your key to. This is fine, as the keyservers synchronise, but that may take some time.
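The whole command-line route (create a 4096-bit key, generate the revocation certificate, find the key ID and fingerprint, send the key to a keyserver and confirm it comes back) as one script. This is an added example, not the page's own script; NAME, EMAIL and KEYSERVER are placeholders, and the batch parameter file stands in for the questions gpg2 --gen-key asks interactively.

```sh
#!/bin/sh
# Added example, not from the original page. NAME, EMAIL and KEYSERVER are
# placeholders; the heredoc answers the questions gpg2 --gen-key would ask.
set -eu

NAME="Jane Doe"                                  # placeholder
EMAIL="jane.doe@digital.cabinet-office.gov.uk"   # placeholder
KEYSERVER="hkps://keys.openpgp.org"              # assumption; any syncing keyserver

# gpg2 --with-colons --list-keys prints one ':'-separated record per line.
# Field 5 of a "pub" record is the long key ID; the first "fpr" record after
# it carries the 40-hex-digit primary fingerprint in field 10; a "uid"
# record has the user ID in field 10. Print "KEYID FINGERPRINT" for the key
# whose user ID contains the e-mail address in $2.
key_for_email() {
  printf '%s\n' "$1" | awk -F: -v email="$2" '
    $1 == "pub"                      { id = $5; fpr = ""; next }
    $1 == "fpr" && fpr == ""         { fpr = $10; next }
    $1 == "uid" && index($10, email) { print id, fpr; exit }'
}

create_and_publish() {
  # 1. Create the key. No Passphrase line, so gpg asks via pinentry.
  gpg2 --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 2y
EOF
  # Pick the new key out of the listing; under set -u this aborts if none matched.
  set -- $(key_for_email "$(gpg2 --with-colons --list-keys "$EMAIL")" "$EMAIL")
  KEYID=$1 FPR=$2
  # 2. Revocation certificate: move this file off the laptop afterwards.
  gpg2 --output "revoke-$KEYID.asc" --gen-revoke "$KEYID"
  # 3. Publish, then check the keyserver hands the key back by fingerprint.
  gpg2 --keyserver "$KEYSERVER" --send-keys "$KEYID"
  gpg2 --keyserver "$KEYSERVER" --recv-keys "$FPR"
  echo "Key ID: $KEYID  Fingerprint: $FPR"
}

if [ "${1:-}" = run ]; then create_and_publish; fi
```

Run it as `sh create-key.sh run`; without the argument it only defines the functions.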